
Bug 504462 (CVE-2014-0467)

Summary: <mail-client/mutt-1.5.22-r3: heap-based buffer overflow when parsing certain headers (CVE-2014-0467)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: grobian, misha, net-mail
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1075860
Whiteboard: B2 [glsa]

Description Agostino Sarubbo gentoo-dev 2014-03-13 08:55:25 UTC
From ${URL} :

The Debian DSA-2874-1 security advisory (http://www.debian.org/security/2014/dsa-2874) corrected an 
overflow in the mutt mail reader. Analysis of the crash reveals this is likely a heap-based buffer 
overflow in the mutt_copy_hdr() function. Opening a specially-crafted mail message could cause mutt to 
crash or, potentially, execute arbitrary code. The fix looks to be as follows:

+diff -r 3d5e23a66a1a -r 9bf7593e3c08 copy.c
+--- a/copy.c   Thu Oct 24 09:55:36 2013 -0700
++++ b/copy.c   Tue Mar 11 09:40:09 2014 -0700
+@@ -254,6 +254,7 @@
+     {
+       if (!address_header_decode (&this_one))
+       rfc2047_decode (&this_one);
++      this_one_len = mutt_strlen (this_one);
+     }
+     
+     if (!headers[x])
+
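Review bot: the added `this_one_len = mutt_strlen (this_one);` has no comment explaining why the length must be refreshed at this point, and the reason is not obvious from the surrounding lines. Both decode calls take `&this_one`, so they can replace the string with one of a different length and leave an earlier `this_one_len` stale; a one-line comment saying so would keep a later cleanup from dropping the assignment as redundant. It is also worth checking whether any other path modifies `this_one` after its length has been cached, since the change covers only this block.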

(Note as this is copied from the Debian diff, it is actually a one line change of "this_one_len = 
mutt_strlen (this_one);")

From brief testing on Red Hat Enterprise Linux 6, the message's headers had to be viewed (via the "h" 
command) in order to trigger the issue.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708731


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
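The bug class the report above points to, shown as an added C example that is not part of the bug report and is not mutt's code. It assumes the overflow comes from a length cached before decoding being reused after the string has grown, which is what the one-line fix suggests; `toy_decode`, `checked_copy`, `copy_header` and the sample header are hypothetical, and the copy is bounds-checked so the stale case is reported rather than triggered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a header decoder (not mutt code): grows the
 * string in place, as decoding or address expansion can. */
static void toy_decode(char **s)
{
    const char *extra = " <user@example.invalid>";  /* constructed value */
    char *out = realloc(*s, strlen(*s) + strlen(extra) + 1);
    if (!out) abort();
    strcat(out, extra);             /* fits: buffer was just resized */
    *s = out;
}

/* Bounds-checked copy: returns -1 instead of writing past dst. */
static int checked_copy(char *dst, size_t cap, const char *src)
{
    size_t need = strlen(src) + 1;
    if (need > cap) return -1;
    memcpy(dst, src, need);
    return 0;
}

/* refresh == 0 reuses the length cached before decoding (stale pattern);
 * refresh != 0 recomputes it afterwards (the idea of the one-line fix).
 * Returns 0 if the decoded header fit the buffer, -1 if it would overflow. */
int copy_header(const char *raw, int refresh)
{
    size_t len = strlen(raw);       /* cached before decoding */
    char *hdr = malloc(len + 1);
    if (!hdr) abort();
    memcpy(hdr, raw, len + 1);
    toy_decode(&hdr);               /* hdr may now be longer than len */
    if (refresh) len = strlen(hdr);
    char *dst = malloc(len + 1);    /* sized from len, stale or fresh */
    if (!dst) abort();
    int rc = checked_copy(dst, len + 1, hdr);
    free(dst);
    free(hdr);
    return rc;
}

int main(void)
{
    /* "To: alias" is a constructed sample header */
    printf("%d %d\n", copy_header("To: alias", 0), copy_header("To: alias", 1));
    return 0;
}
```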
Comment 1 Alexander Vershilov (RETIRED) gentoo-dev 2014-03-13 20:52:39 UTC
mutt is bumped with grobian's permission.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2014-03-13 21:02:04 UTC
Arches, please test and stabilize:
=net-mail/mutt-1.5.22-r3.ebuild
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers gentoo-dev 2014-03-14 15:14:33 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-15 13:16:25 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-15 13:16:46 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-03-16 11:08:20 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-03-18 16:08:17 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-19 14:14:06 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-24 14:30:37 UTC
ppc64 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-04-29 20:08:42 UTC
CVE-2014-0467 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0467):
  Buffer overflow in copy.c in Mutt before 1.5.23 allows remote attackers to
  cause a denial of service (crash) via a crafted RFC2047 header line, related
  to address expansion.
Comment 11 Agostino Sarubbo gentoo-dev 2014-05-14 16:11:36 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-20 03:42:34 UTC
Arches and Maintainer(s), thank you for your work.

Added to an existing GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-05 01:00:53 UTC
This issue was resolved and addressed in
 GLSA 201406-05 at http://security.gentoo.org/glsa/glsa-201406-05.xml
by GLSA coordinator Chris Reffett (creffett).